The Redistributable STS (RSTS) is a Secure Token Server component service designed to provide user authentication using standard federation protocols such as WS-Federation and OAuth 2.0. One Identity Manager uses the RSTS for authentication to web applications with Webauthn and OAuth 2.0.
For more information about the Webauthn configuration, see the One Identity Manager Web Application Configuration Guide.
To install the RSTS
- Launch autorun.exe from the root directory of the One Identity Manager installation medium.
- Switch to the Other products tab.
- Select One Identity Redistributable STS and click Install.
- On the start page of the installation wizard, click Next.
- On the Select database page, select the One Identity Manager database connection. Select a user who has at least administrative permissions for the database.
- On the Installation settings page, enter the required information.
- On the Installation page you can see the installation progress. When the installation has finished, click Next.
- Click Finish to close the installation wizard.
Due to security issues, you cannot run any database queries directly from the user interface or from web applications. Specific SQL operators undergo a risk assessment that prevents them from being used by One Identity Manager components. This includes operators such as LIKE, NOT LIKE, <, <=, >, or >=.
In order to continue using certain functions in One Identity Manager components, users require the Common_AllowRiskyWhereClauses program function.
Users who do not have this program function can only run database queries that are classified as trusted or pose no risk (risk index = 0.0). Some of the functions in One Identity Manager components, such as testing dynamic roles or running filter queries, are not possible without this function.
If you want to allow certain users to run security-critical queries, you can assign permissions to users through permission groups.
- The QBM_Critical_WhereClause permissions group is provided for non role-based login. This group owns the program function. Add the system users who are allowed to run security-critical queries to the permissions group. Administrative system users obtain this permissions group automatically.
- The QER_4_Critical_WhereClause permissions group is provided for role-based login. This group owns the program function. The permissions group is linked to the Base roles | security-critical queries application role. Add the users who are allowed to run security-critical queries to the application role.
Using configuration parameters, you can also control the risk assessment of running the SQL statements.
NOTE: The configuration parameters are effective only for users who have the Common_AllowRiskyWhereClauses program function.
- Use the QBM | SQLCheck | RiskEvaluation configuration parameter to define the risk assessment of running the SQL statements. Permitted values are:
  - Low: SQL statements with some risk are allowed.
  - Medium: The risk of SQL statements is assessed at a mitigated level. Thus, the threshold for blocking the user is reached later and more queries are possible.
  - Strict: The risk of SQL statements is assessed in full. However, the user is not blocked until a certain threshold is reached.
  If the configuration parameter is not set, the risk assessment is performed with the value Strict.
- Use the QBM | SQLCheck | SubSelect configuration parameter to specify how SQL statements with sub-queries are assessed. If the configuration parameter is set, then places where SQL statements with sub-queries are found are classified as higher risk.
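The following is an added, simplified model of the risk assessment described above; it is not One Identity Manager's own scoring code, and the operator weights, the threshold per RiskEvaluation level and the sub-select weight are constructed values chosen for illustration. It shows how the operators named on this page raise a clause's risk index, why a user without Common_AllowRiskyWhereClauses is limited to risk index 0.0, and how the Strict/Medium/Low levels and the SubSelect parameter shift the blocking decision.

```python
import re
from dataclasses import dataclass, field

# Constructed weights and thresholds for illustration only; the page does not
# publish One Identity Manager's real scoring values.
OPERATOR_RISK = [            # ordered so longer operators are consumed first
    (r"<>", 0.0),            # not on the page's list; consumed so "<" does not match it
    (r"\bNOT\s+LIKE\b", 1.0),
    (r"\bLIKE\b", 1.0),
    (r"<=", 0.5), (r">=", 0.5), (r"<", 0.5), (r">", 0.5),
]
SUBSELECT_PATTERN = r"\(\s*SELECT\b"
SUBSELECT_RISK = 1.0
# Strict assesses risk in full but blocks only above a threshold; Medium
# mitigates so the threshold is reached later; Low allows some risk.
THRESHOLD = {"Strict": 1.0, "Medium": 2.0, "Low": 4.0}


@dataclass
class Assessment:
    risk_index: float
    findings: list = field(default_factory=list)
    blocked: bool = False


def assess_where_clause(clause, level=None, subselect_check=False,
                        has_program_function=False):
    """Score a WHERE clause and decide whether the caller may run it.

    Without Common_AllowRiskyWhereClauses only risk index 0.0 is allowed;
    with it, the QBM | SQLCheck | RiskEvaluation level decides (unset = Strict).
    """
    level = level or "Strict"
    # Blank out string literals so an operator quoted as data is not counted.
    text = re.sub(r"'(?:[^']|'')*'", "''", clause)
    risk, findings = 0.0, []
    for pattern, weight in OPERATOR_RISK:
        hits = len(re.findall(pattern, text, flags=re.IGNORECASE))
        if hits and weight:
            risk += hits * weight
            findings.append(f"{hits}x {pattern}")
        text = re.sub(pattern, " ", text, flags=re.IGNORECASE)  # consume match
    if subselect_check:  # QBM | SQLCheck | SubSelect raises sub-query risk
        hits = len(re.findall(SUBSELECT_PATTERN, text, flags=re.IGNORECASE))
        if hits:
            risk += hits * SUBSELECT_RISK
            findings.append(f"{hits}x sub-select")
    if not has_program_function:
        blocked = risk > 0.0
    else:
        blocked = risk > THRESHOLD[level]
    return Assessment(risk, findings, blocked)
```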
Notes for customizations
- For example, database queries that are required on customized forms, or that are run over the application server API, must be formulated as predefined database queries in One Identity Manager. Database queries are always run with the permissions of the current user. For more information about using predefined database queries, see the One Identity Manager Configuration Guide.
- You will find examples on the installation medium in the QBM\dvd\AddOn\ApiSamples directory.
- For the alphabetical display of objects such as employees or company structures, you can use the QERVFirstUnicodeChar table in customized menus.
The One Identity Manager tools can only be started if the user has the relevant program function permissions. The following program functions allow the One Identity Manager tools to be started.
To make the program function available to users
- In the Designer, under the Permissions > Program functions category, check which permissions group contains the required program function and assign the program function to other permissions groups as necessary.
- For non role-based login: In the Designer, under Permissions > System users, add the system user to the permissions group.
- For role-based login: Ensure that the user is assigned to the application role that owns the program function through its permissions group.
Table 41: Program functions for starting the One Identity Manager tools
Program function | Description
ApplicationStart_Analyzer | Allows the program Analyzer (Analyzer.exe) to be started.
ApplicationStart_ConfigWizard | Allows the program Configuration Wizard (ConfigWizard.exe) to be started.
ApplicationStart_CryptoConfig | Allows the program Crypto Configuration (CryptoConfig.exe) to be started.
ApplicationStart_DataImporter | Allows the program Data Import (DataImporter.exe) to be started.
ApplicationStart_DBClone | Allows the program DBClone (DBClone.exe) to be started.
ApplicationStart_DBComparer | Allows the program DBComparer (DBComparer.exe) to be started.
ApplicationStart_DBCompiler | Allows the program Database Compiler (DBCompiler.exe) to be started.
ApplicationStart_Designer | Allows the program Designer (Designer.exe) to be started.
ApplicationStart_JobQueueInfo | Allows the program Job Queue Info (JobQueueInfo.exe) to be started.
ApplicationStart_LaunchPad | Allows the program Launchpad (LaunchPad.exe) to be started.
ApplicationStart_LicenseMeter | Allows the program License Meter (LicenseMeter.exe) to be started.
ApplicationStart_Manager | Allows the program Manager (Manager.exe) to be started.
ApplicationStart_ObjectBrowser | Allows the program Object Browser (ObjectBrowser.exe) to be started.
ApplicationStart_OpSupport | Allows the Operations Support Web Portal to be started.
ApplicationStart_ReportEdit | Allows the program Report Editor (ReportEdit2.exe) to be started.
ApplicationStart_SchemaExtension | Allows the program Schema Extension (SchemaExtension.exe) to be started.
ApplicationStart_ServerInstaller | Allows the program Server Installer (ServerInstaller.exe) to be started.
ApplicationStart_SoftwareLoader | Allows the program Software Loader (SoftwareLoader.exe) to be started.
ApplicationStart_SynchronizationEditor | Allows the program Synchronization Editor (SynchronizationEditor.exe) to be started.
ApplicationStart_SystemDebugger | Allows the program System Debugger (SystemDebugger.exe) to be started.
ApplicationStart_Transporter | Allows the program Database Transporter (Transporter.exe) to be started.
ApplicationStart_WebDesignerCompiler | Allows the program (VI.WebDesigner.CompilerCmd.exe) to be started.
ApplicationStart_WebConfig | Allows the program Web Designer Configuration Editor (WebConfigEditor.exe) to be started.
ApplicationStart_WebDesigner | Allows the program Web Designer (WebDesigner.exe) to be started.
ApplicationStart_WebDesignerInstall | Allows the program Web Installer (WebDesigner.Installer.exe) to be started.
NOTE:
- Connections that do not use the expected access level for SQL Server logins are not shown in the connection dialog.
- If you select an existing database connection in the connection dialog, the access level of the login to be used is shown in a tooltip.
You require the following minimum access level for One Identity Manager tools.
Table 42: Access level for One Identity Manager tools
Tool | Minimum access level
Analyzer | End user
Application server | End user or configuration user (depending on the application server's task)
API Server | End user
Configuration Wizard | Administrative user
Crypto Configuration | Configuration user
Data Import | End user; configuration user (saves import definition)
Database Transporter | Configuration user
Database Compiler | Configuration user
DBClone | Administrative user
DBComparer | Configuration user
Designer | Configuration user; some consistency checks require the administrative user access level.
Job Queue Info | Configuration user
Launchpad | End user; some applications that are started from the Launchpad require different access levels.
License Meter | End user
Manager | End user; some functions require the configuration user access level, for example, opening synchronization projects for target systems. Some consistency checks require the configuration user or administrative user access level.
HistoryDB Manager | End user
Object Browser | End user
One Identity Manager Service | Configuration user for process collection with the MSSQLJobProvider
Report Editor | Configuration user
Schema Extension | Configuration user
Server Installer | Configuration user
Software Loader | Configuration user
Synchronization Editor | Configuration user
System Debugger | Configuration user
Web Designer | Configuration user
Web Designer Configuration Editor | Configuration user
Web Portal | End user
Password Reset Portal | End user
Operations Support Web Portal | End user
AppServer.Installer.CMD.exe | Configuration user
AutoUpdate.exe | Configuration user
DBCompilerCMD.exe | Configuration user
DBConsCheckCmd.exe | End user; some consistency checks require the configuration user or administrative user access level.
DataImporterCMD.exe | End user
DBTransporterCMD.exe | Configuration user
Quantum.MigratorCmd.exe | Administrative user
SchemaExtensionCmd.exe | Configuration user
SoftwareLoaderCMD.exe | Configuration user
VI.WebDesigner.CompilerCmd.exe | Configuration user
WebDesigner.InstallerCMD.exe | Configuration user